Vulnerability could allow a local user to launch a denial of service attack
Linux flaw could lead to DoS attacks
/v3-uk/news/1952889/linux-flaw-lead-dos-attacks
07 Apr 2006, Matt Chapman , V3
A security flaw has been found in Linux kernel version 2.6.x that could allow malicious local users to cause a denial of service attack, according to an advisory from security firm Secunia.
The vulnerability is caused by an out-of-bounds memory error in the 'fill_write_buffer()' function in 'sysfs/file.c'.
The problem occurs when writing a PAGE_SIZE amount of data that does not contain any zeroes to a 'sysfs' file.
The vulnerability has been fixed in version 2.6.17-rc1 of the Linux kernel, and users are advised to download the latest patch immediately.
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
Do not update to 2.6.17-rc1
Users are recommended to install a development version of the kernel?! Please get your facts right, noone will ever recommend normal users to run an RC1 kernel, which contains all latest development code and has its share of bugs...
Posted by Frederik, 09 Apr 2006
Doesn't look dangerous
Looking at the sysfs filesystem on my machine nothing in there can we written to by anyone other than root, so it looks like you need to be root to trigger this exploit.
On most machines if you're root you can do anything you want anyway. Even if you're using capabilities to limit what root can do, I'd hope whoever you allow access to the root account can be trusted not to try a denail of service attack.
Posted by Richard, 07 Apr 2006